IT Security News Blast 9-1-2017

US District Judge Lucy Koh ruled late on Wednesday that a class-action lawsuit can go forward because all the plaintiffs have an “alleged risk of future identity theft” as well as a “loss of value of their personal identification information”. Some of the plaintiffs had spent money to try to protect themselves from identity theft, she added. She rejected Yahoo’s argument that the hacking victims do not have standing to sue, saying they could pursue breach of contract and unfair competition, because they could have taken action to close their accounts if they had known about the data breaches.

“With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems,” said Vullo.

Two-thirds of company bosses ‘see cyber security investment as a financial opportunity not a burden’

It also found security was firmly part of the CEO agenda, rather than falling solely into the remit of CIOs or chief information security officers. More than three-quarters (77%) of CEOs agreed with the statement: ‘I am personally comfortable with the degree to which mitigating cyber risk is now part of my leadership role’. The outlook also found business leaders were not fully prepared for a cyber event such as an employee-led data breach or business data theft. Only half of those surveyed (52%) believe they are ‘fully prepared’ for both eventualities.

Securing the IoT in a healthcare environment requires communication and understanding. Executive leadership must understand that with these tremendous advantages comes additional responsibility. Agreement must be reached that any device requiring connectivity be vetted prior to purchase. Baseline requirements should be established around antivirus, patching and routing. In addition, departments that have traditionally run their own shops now need to partner with IT in discussions regarding purchasing, and later, deploying connected devices.

Another issue within the industry is that technology isn’t implemented as quickly as it becomes available, with health care IT facing particular cultural challenges. “In many hospitals, there has been a common culture in which doctors’ preferences have been heavily weighted, making it difficult for IT to implement change,” Mellen says, adding that the culture is changing. “Cybersecurity initiatives that had once been blocked due to ‘possible outages that could impact patient safety,’ are now being welcomed in order to improve patient safety.”

Navy investigators have found no evidence that cyber intrusions played a part in the serious collisions of two guided-missile destroyers in the past three months, the Navy’s chief of naval operations said Wednesday. […] “It is sort of a reality of our current situation that part of any kind of investigation or inspection is going to have to take a look at the computer, the cyber — you know, the informational warfare aspect — of our business.

While I support the administration’s decision to elevate Cyber Command, its stated reasons for doing so are overdrawn. The true benefits are long-term and bureaucratic. Elevating Cyber Command is only one step on the road to turning it into something else: an institution less intertwined with the intelligence community and better integrated with the other elements of the military. Before turning to what I see as the real benefits, let’s review the administration’s arguments for why elevation matters.

The researchers’ ‘Watch, Listen, Attend and Spell’ (WLAS) neural network algorithm learned to transcribe videos of mouth motion to characters, training on over 100,000 sentences drawn from thousands of hours of subtitled BBC television videos. If threat actors were to weaponize this kind of technology, researchers suggest people may need to consider covering their mouths when speaking on sensitive topics around devices with cameras, or at least mumbling their words.

“AI will soon be able to measure productivity based on the quality of work produced,” said Ran Craycraft, a Managing Partner at the machine learning company Wildebeest. “Writers’ productivity could easily be measured based on the volume, complexity, and emotion of the stories they produce. In sales, the number of emails sent and the ratio of positive to negative responses could be an additional metric that factors into a salesperson’s compensation.”

“Malware has existed since at least 2011 that harvests bitcoin wallets. Crypto-currency is becoming more mainstream. Ransomware has certainly brought it to the fore and now the public are aware of it, thus more people use it, there is more money contained within those systems and cybercriminals follow the money. They see it as a good ROI for them,” Carl Leonard, principal security analyst at Forcepoint, told SC Media.

Regulators are the catalyst for stronger measures in cyber security, and new regulation from the EU is going to have a serious impact on organizations that process EU citizen data. After four years of diligence and debate, The EU Parliament approved the Global Data Protection Regulation (GDPR) on April 14, 2016. It will enter into effect on May 25, 2018, at which time those organizations in non-compliance will face heavy fines.

On August 31 WikiLeaks posted a link to the CIA’s Engineering Development Group user manual for the implant Angelfire v2.0, but at the same time the hacking group Ourmine managed to take over the WikiLeaks homepage, posting a black, red and white message mocking the group and saying the takeover was in retribution for a previous doxxing of Ourmine by WikiLeaks.

WikiLeaks suffered a cyber attack earlier today, but that couldn’t stop the whistleblowing platform from publishing the latest trove of documents in the CIA’s Vault 7 series. Codenamed project Angelfire, the set of five hacking tools was developed to target unsuspecting users of the Windows operating system, including Windows XP and Windows 7. According to the leaked documents, the tools were named as 1: Solartime, 2: Wolfcreek, 3: Keystone (previously MagicWand), 4: BadMFS, and 5: the Windows Transitory File system.

Before Donald Trump’s election—and before racist gunman Dylann Roof murdered nine black people in Charleston last year—it was easier to dismiss sites like the Daily Stormer. Yes, these were watering holes for evil ideology, but they fundamentally felt like powerless kooks. Nowadays, more people are taking words and threats from extremist groups seriously. Liberal activists have mobilized against these groups, and they’ve found a receptive audience among technology leaders.

Instagram has confirmed the hack and said in a statement that: “We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information—specifically email address and phone number—by exploiting a bug in an Instagram API. No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation.”

At first glance, the Instagram security bug that was exploited to obtain celebrities’ phone numbers and e-mail addresses appeared to be limited, possibly to a small number of celebrity accounts. Now a database of 10,000 credentials published online Thursday night suggests the breach is much bigger. The database was provided by someone who e-mailed in response to Thursday’s story, mentioned above, about the Instagram breach. The sender said he was able to scrape personal data belonging to 6 million users and was selling the data in a searchable website for $10 per query. The person provided a sample of 10,000 of those records.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.